
Cannot modify/delete/change permissions on a registry key



#1 Axelhander

Posted 10 February 2009 - 01:13 PM

A few weeks ago, my cousin's machine (Windows XP SP3), using an outdated version of Java, was hit by a rather nasty Virtumonde infection. Tackling this when my schedule allowed, it took a good week for me to finally find out what Virtumonde is (I used to do IT work but moved on years ago) and how to best destroy it. I used HijackThis, AVG, HouseCall, Panda ActiveScan (which left a sour taste in my mouth), Combofix, Spybot, Smitrem (as Spybot told me it found a Smitfraud variant), AntiMalware, AdAware, SDFix, and a bunch of manual deleting of files in safe mode command prompt. Finally got to the point where no infections are found scanning with AVG and Spybot, though HouseCall still finds some sort of "generic" infection that it has no additional info for (and won't remove) and ActiveScan says that there's a "latent" Virtumonde file on my machine, but wants money to remove it. Money I'm not paying.

I should note: before starting any of this I uninstalled Java, and after it all I installed the latest version.

Anywho, a few days ago, my cousin wanted to play Phantasy Star Online Blue Burst. AVG 7.5 (kept up to date) says it's a threat. It's said this before, and given that I've seen other players get this warning online but run the program anyway with no ill effects, I assume it's a false positive (the executable is psobb.exe). Regardless, scanning the file on my own machine with AVG 8, it seems not to see psobb.exe as a threat. So, as a matter of convenience, I have my cousin uninstall AVG 7.5 and install 8.

However, the installation process stops midway, as the installer cannot write a key to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows. So I try to view this key and I'm told I don't have permissions. My cousin has two accounts on her machine; hers and the default XP admin account. Both are administrators. I try to view the key on either, and I can't. I can't add to it, modify it, or delete it. At all. I try, with both accounts, to add permissions to each branch leading to that key; I give Full Control to admins, power users, the Everyone account, and add the two machine accounts to the list as well. No luck.

So I do a search online and find that I'm not alone in encountering this issue. I try a tool from AVG meant to completely destroy past installations of its software; no luck after running that.

I tried this, both in normal and safe mode: http://freeforum.avg.com/read.php?12,14970...9709#msg-149709. No luck.
I tried this, after, again in both modes: http://freeforum.avg.com/read.php?13,160321,162947. No luck.

I tried another bout of scans with Spybot and HouseCall, and neither finds anything other than HouseCall's cryptic "generic" infection.

One thing I didn't do is run another HijackThis scan, and I'm having my cousin run one and send me the log file. Otherwise, I'm completely out of ideas. Is the machine still infected? Is it something else entirely? Any help would be greatly appreciated and, if my plans to take over the solar system ever do come to fruition, the planet Mercury belongs to whoever can help me.

#2 snowdrop

Posted 10 February 2009 - 02:05 PM

You could run a scan with Malwarebytes to check for any infections?

There is a set of instructions here you may find helpful to follow

http://www.bleepingcomputer.com/forums/ind...t&p=1090844

if you do run the scan you can post the report for someone to check out for you :thumbsup:

#3 Axelhander (Topic Starter)

Posted 10 February 2009 - 08:09 PM

Ran another scan (though I did a Full Scan instead of just Quick; that shouldn't be a problem, right?). It found a Virtumonde DLL remnant, but given that no other Virtumonde-related stuff appeared I assume the file was latent. Found some other stuff. Removed everything it found. STILL can't access that registry key. I also perused her HJT log and found nothing that looks suspicious, though I'm not against it passing in front of another set of eyes.

Here's the MBAM log. Thanks again for your advice!
________

Malwarebytes' Anti-Malware 1.33
Database version: 1745
Windows 5.1.2600 Service Pack 3

2009-02-10 6:02:17 PM
mbam-log-2009-02-10 (18-02-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136776
Time elapsed: 1 hour(s), 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\atlxitpv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by Axelhander, 10 February 2009 - 08:12 PM.


#4 Ralph T. Dog

Posted 11 February 2009 - 02:26 PM

I have this same problem on a bunch of computers here: what you may need to do is to take ownership of the registry key:
hklm\software\microsoft\windows nt\currentversion\Windows

Once you have done that you should be able to see all the subkeys. I am not sure what causes it, but I have spent hours on this on a bunch of computers.
Right-click the key and then choose Permissions, click the Advanced button, click the Owner tab and set the owner as the machine's Administrators group. Once that is done, you should be able to install the software and remove any infections.

RTD.

#5 Axelhander (Topic Starter)

Posted 12 February 2009 - 02:59 PM

Thank you, good sir. I will try this the moment I get home.

#6 Axelhander (Topic Starter)

Posted 17 February 2009 - 10:36 AM

Attempted to change the owner to Administrator. Reboot and still no luck. Changed it back to my cousin's user, rebooted... still cannot modify the key.

#7 Ralph T. Dog

Posted 17 February 2009 - 11:08 AM

I want to be sure that you cannot open the key at all, nor can you see the key; is that correct?

Go to the key above it and take ownership, but make sure that you check "include inheritable" and "replace all" (I am not sure of the exact text).

Let me know
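
The procedure in the two posts above (take ownership of the key, then push the change down to every subkey), as an added PowerShell example; it is not from the thread or from any of the posters. It assumes PowerShell 2.0 or later (installable on XP SP3) running as a member of the local Administrators group, and the key path quoted in the thread; the TokenPriv helper and the Repair-KeyAcl function are names chosen here. It does one thing the regedit route hides: it enables SeTakeOwnershipPrivilege in the process token, which is what lets an administrator open a key with WRITE_OWNER even when the DACL grants that account nothing at all.

```powershell
# Added example, not from the thread. Takes ownership of a registry key that
# Administrators cannot even open, resets its DACL, and repeats for every subkey.
# Assumptions: PowerShell 2.0+ (.NET 2.0+), run as a local Administrator, key
# path as quoted in the thread.
$ErrorActionPreference = 'Stop'
$KeyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# Administrators hold SeTakeOwnershipPrivilege, but it is disabled in the token
# until something enables it. Once enabled, RegOpenKeyEx grants WRITE_OWNER
# regardless of the DACL, which is what step 1 below relies on.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES ns, uint len, IntPtr prev, IntPtr ret);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    public static bool Enable(string name) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028, out tok)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.Count = 1; tp.Attr = 0x2;                                           // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) { CloseHandle(tok); return false; }
        AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error();                                 // 1300 = privilege not held
        CloseHandle(tok);
        return err == 0;
    }
}
'@
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'SeTakeOwnershipPrivilege is not available; run this as a local Administrator.'
}

$Admins = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$HKLM = [Microsoft.Win32.Registry]::LocalMachine
$RW   = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

function Repair-KeyAcl([string]$Path) {
    # Step 1: become the owner. Only WRITE_OWNER is requested because nothing else
    # would be granted, and AccessControlSections::None avoids a READ_CONTROL read.
    $k  = $HKLM.OpenSubKey($Path, $RW, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $sd = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $sd.SetOwner($Admins)
    $k.SetAccessControl($sd)
    $k.Close()

    # Step 2: the owner implicitly holds READ_CONTROL and WRITE_DAC. Drop every
    # explicit Deny ACE (a Full Control grant does not override those), restore
    # inheritance from the parent, and give Administrators Full Control that
    # flows down to subkeys.
    $k  = $HKLM.OpenSubKey($Path, $RW, [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                                         [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    $sd = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($ace in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            [void]$sd.RemoveAccessRule($ace)
        }
    }
    $sd.SetAccessRuleProtection($false, $false)
    $sd.ResetAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins, [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    $k.SetAccessControl($sd)
    $k.Close()

    # Step 3: recurse, because each subkey carries its own owner and DACL.
    $k = $HKLM.OpenSubKey($Path)          # plain read access is enough now
    foreach ($sub in $k.GetSubKeyNames()) { Repair-KeyAcl "$Path\$sub" }
    $k.Close()
    Write-Host "repaired HKLM\$Path"
}

Repair-KeyAcl $KeyPath

# Verify the key is readable again and look at the value this key is known for:
# AppInit_DLLs names DLLs that Windows loads into every process that uses
# user32.dll, so anything listed there that you do not recognise deserves a
# close look before reinstalling the antivirus.
Get-ItemProperty "HKLM:\$KeyPath" | Select-Object AppInit_DLLs
```

In regedit on XP the same steps are Permissions, Advanced, Owner tab, then ticking "Replace owner on subcontainers and objects"; the script does that per subkey rather than trusting propagation, and it strips explicit Deny entries, which is the case where granting Full Control to Administrators, as tried earlier in the thread, still leaves the key unreadable.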

#8 snowdrop

Posted 17 February 2009 - 04:23 PM

You could run a scan with SUPERAntiSpyware; you will find a set of instructions in the second part of this post

http://www.bleepingcomputer.com/forums/ind...t&p=1132958

Can you let us know which antivirus program is installed and whether the computer has System Restore enabled and available?

You may need to run VundoFix but, given the Forum Guidelines on who may give you such instructions

http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/
I believe you may need a Staff Member to actually give you those instructions and authorise the running of that tool.
